Arnold Law Firm Representing Consumer Affected by Salesforce, Hanna Andersson Data Breach

hands-typing-data-breach-locksArnold Law Firm attorneys M. Anderson Berry and Leslie Guillon are representing Bernadette Barnes in a new lawsuit against Salesforce.com Inc. and children's clothing company Hanna Andersson. The lawsuit concerns a data breach at both companies between September and November 2019.

The lawsuit claims these companies failed to protect users' data, give cybersecurity warnings and take steps to keep platforms safe. The lawsuit claims these companies violated the California Unfair Competition Law (UCL), Business and Professions Code § 17200.

On Jan. 15, Hanna Andersson announced the data breach, telling the public that hackers had stolen customer names, addresses, credit card numbers, CVV codes, credit card expiration dates and other information about customers. According to Barnes' complaint, this information was put up for sale on the dark web after the Salesforce e-commerce platform was infected with malware.

Salesforce and Hanna Andersson failed to discover the breach for nearly three months, according to Barnes. The lawsuit alleges Salesforce delayed announcing the data breach, which affected residents of every state, including 10,000 residents of California.

Allegations in the Lawsuit

The lawsuit, filed in the Northern District of California, alleges these companies' actions violated the California Consumer Privacy Act (CCPA), which took effect on January 1st, and the California Unfair Competition Law. The lawsuit says Salesforce and Hanna Andersson failed to maintain reasonable security procedures and practices in line with the CCPA.

However, the lawsuit does not say there is an express cause of action for a violation of the CCPA, only alleged violations of this new law. This may allow them to counter challenges to the plaintiffs' standing to file this lawsuit because they did not suffer an injury-in-fact.

The lawsuit says by storing personal information in an unsecure environment, the two companies took part in unlawful acts and practices. The lawsuit also says the defendants broke the law by failing to disclose the data breach in a timely and accurate manner, which is required under the CCPA.

The plaintiffs also hope to boost their standing claiming the personal information that was scraped has lost value. They claim the hackers responsible for the data breach obtained $15 or more in stolen-data-compensation per person. The plaintiffs also say they lost opportunity costs and out-of-pocket expenses, depriving them of their rights under the CCPA and UCL.

The new privacy law gives consumers a private right of action that makes it easier for them to pursue damages for things like data breaches. Residents of California may be able to obtain $750 for each breach of data-security protections. According to the lawsuit, about 10,000 California residents may have been impacted by the data breach, so this case could potentially be worth millions of dollars.

Barnes' case may seem like a perfect test case for a cause of action under the CCPA, however, there are some unclear aspects of the law that may be a reason why this is not a CCPA cause of action.

For example, the CCPA says it protects California consumers' personal information that is nonencrypted and nonredacted. The CCPA also says 30 days' notice is required and the defendant must have an opportunity to correct the problem before a CCPA lawsuit can be filed. Filing a lawsuit is prohibited if the company that is accused is able to fix the data breach.

This raises a few questions, such as:

  • Do plaintiffs have standing to file a lawsuit if stolen data was encrypted and hackers bypassed encryption?
  • Is removal of malware enough to satisfy the requirement of trying to cure the data breach?

The Barnes lawsuit may pave the way for privacy class action lawsuits, particularly if the court gives a consumer-friendly ruling or makes interpretations of the CCPA or any of the unresolved issues brought up in the case.

Damages Being Sought

The lawsuit against Hanna Andersson and Salesforce is seeking declaratory judgment, payment of credit monitoring for victims of the data breach, statutory damages, punitive damages, restitution, disgorgement and attorney's fees and costs.

The lawsuit also gives Barnes the right to amend it later to potentially allow a California class to seek damages and relief.

New Rules for Businesses

The new laws make it much easier for consumers to pursue damages based on negligent data security. Consumers in California now have much more control of which companies can collect their data and how it will be used.

The law states that if a business chooses to collect personal information from a consumer, it must be disclosed to the consumer. The business must also disclose the details of the information being collected and the purpose and intended use for the information.

Consumers can also request to have their data deleted from companies' databases.